author | Devaev Maxim <[email protected]> | 2020-10-16 23:40:14 +0300 |
committer | Devaev Maxim <[email protected]> | 2020-10-16 23:40:14 +0300 |
commit | bfe437e4059014d329804704dc2df940b09f8a97 (patch) | |
tree | e1dbb9de6f4001a87240487c63e8f84b99ba5c25 | |
parent | dd279e3a13a62de9a1372e7a29d1a2a7aed9643e (diff) |
allow icmp
-rw-r--r-- | kvmd/apps/__init__.py | 3 | ||||
-rw-r--r-- | kvmd/apps/otgnet/__init__.py | 3 | ||||
-rw-r--r-- | kvmd/apps/otgnet/netctl.py | 12 |
3 files changed, 17 insertions, 1 deletions
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index 2e1cfc09..6d133ac9 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -447,7 +447,8 @@ def _get_config_scheme() -> Dict:
 },
 "firewall": {
- "allow_tcp": Option([], type=valid_ports_list),
+ "allow_icmp": Option(True, type=valid_bool),
+ "allow_tcp": Option([], type=valid_ports_list),
 "allow_udp": Option([67], type=valid_ports_list),
 "iptables_cmd": Option(["/usr/bin/iptables"], type=valid_command),
 },
diff --git a/kvmd/apps/otgnet/__init__.py b/kvmd/apps/otgnet/__init__.py
index d15f0a09..bd069342 100644
--- a/kvmd/apps/otgnet/__init__.py
+++ b/kvmd/apps/otgnet/__init__.py
@@ -43,6 +43,7 @@ from .netctl import BaseCtl
 from .netctl import IfaceUpCtl
 from .netctl import IfaceAddIpCtl
 from .netctl import IptablesDropAllCtl
+from .netctl import IptablesAllowIcmpCtl
 from .netctl import IptablesAllowPortCtl
 from .netctl import CustomCtl
@@ -64,6 +65,7 @@ class _Service: # pylint: disable=too-many-instance-attributes
 self.__iface_net: str = config.otgnet.iface.net
 self.__ip_cmd: List[str] = config.otgnet.iface.ip_cmd
+ self.__allow_icmp: bool = config.otgnet.firewall.allow_icmp
 self.__allow_tcp: List[int] = sorted(set(config.otgnet.firewall.allow_tcp))
 self.__allow_udp: List[int] = sorted(set(config.otgnet.firewall.allow_udp))
 self.__iptables_cmd: List[str] = config.otgnet.firewall.iptables_cmd
@@ -91,6 +93,7 @@ class _Service: # pylint: disable=too-many-instance-attributes
 ctls: List[BaseCtl] = [
 CustomCtl(self.__pre_start_cmd, self.__post_stop_cmd, placeholders),
 IfaceUpCtl(self.__ip_cmd, netcfg.iface),
+ *([IptablesAllowIcmpCtl(self.__iptables_cmd, netcfg.iface)] if self.__allow_icmp else []),
 *[
 IptablesAllowPortCtl(self.__iptables_cmd, netcfg.iface, port, tcp)
 for (port, tcp) in [
diff --git a/kvmd/apps/otgnet/netctl.py b/kvmd/apps/otgnet/netctl.py
index 874e904a..1e7f2289 100644
--- a/kvmd/apps/otgnet/netctl.py
+++ b/kvmd/apps/otgnet/netctl.py
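Review bot: The new `allow_icmp` option in the `firewall` scheme defaults to `True`, which moves the shipped default for the OTG link from "drop everything except UDP/67" to also accepting every ICMPv4 type, and unlike `allow_tcp`/`allow_udp` it is a bare boolean, so an operator who only wants the device pingable cannot narrow it the way ports can be narrowed. If a string-list validator exists next to `valid_ports_list`, a list of ICMP type names would give the same control the port options have; failing that, the scheme should at least say what the flag opens, e.g. `# True accepts all ICMPv4 types on the OTG interface (iptables is IPv4-only; ICMPv6 is not governed here)`. The `_get_config_scheme` body continues outside the hunk.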
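Review bot: The conditional `IptablesAllowIcmpCtl` entry in `ctls` is appended with `-A` like every other rule, so it is only effective if it sits ahead of `IptablesDropAllCtl` in the list; that DROP entry lies outside the hunk, so the ordering is presumably right today, but nothing in the list records the constraint. A comment above the new splat, `# ACCEPT rules must stay ahead of IptablesDropAllCtl: every rule is -A'ed in list order`, would keep a later reorder from silently reverting the allow. Also worth confirming, since the stop path is not visible here: if teardown runs this same list with `direct=False`, a rule added by an earlier start under a different `allow_icmp` value would never be `-D`'d. The `ctls` list and its enclosing method continue outside the hunk.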
@@ -58,6 +58,18 @@ class IptablesDropAllCtl(BaseCtl):
 return [*self.__base_cmd, ("-A" if direct else "-D"), "INPUT", "-i", self.__iface, "-j", "DROP"]
+class IptablesAllowIcmpCtl(BaseCtl):
+ def __init__(self, base_cmd: List[str], iface: str) -> None:
+ self.__base_cmd = base_cmd
+ self.__iface = iface
+
+ def get_command(self, direct: bool) -> List[str]:
+ return [
+ *self.__base_cmd,
+ ("-A" if direct else "-D"), "INPUT", "-i", self.__iface, "-p", "icmp", "-j", "ACCEPT",
+ ]
+
+
 class IptablesAllowPortCtl(BaseCtl):
 def __init__(self, base_cmd: List[str], iface: str, port: int, tcp: bool) -> None:
 self.__base_cmd = base_cmd |
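Review bot: `IptablesAllowIcmpCtl.get_command` matches `-p icmp` with no `--icmp-type`, so it accepts every ICMPv4 type from the attached host, not just ping: that includes redirects (type 5), which can rewrite the device's routing if the kernel's `accept_redirects` sysctl is on (not shown here), as well as timestamp and address-mask requests. If the goal is reachability, narrow the rule to `("-A" if direct else "-D"), "INPUT", "-i", self.__iface, "-p", "icmp", "--icmp-type", "echo-request", "-j", "ACCEPT",` and admit the error types PMTUD needs (3 and 11) with a second rule or a conntrack `RELATED` match. The class mirrors `IptablesAllowPortCtl` but has no docstring; a one-liner such as `"""Append/delete an INPUT ACCEPT for IPv4 ICMP on the OTG interface."""` would state what it opens. Because the command is built on `iptables`, it does not govern ICMPv6 on the same link either way.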